DHS election cybersecurity aid draws less than half the states
The Department of Homeland Security wants to make sure your votes aren't hacked in future elections. Not every state is interested in its help.
US Secretary of Homeland Security Kirstjen Nielsen and her predecessor Jeh Johnson testify on election security during a Senate Select Intelligence Committee hearing on March 21, 2018.
Not every US election official is giving the Department of Homeland Security a vote of confidence for cybersecurity.
The Senate intelligence committee hosted an open hearing on Wednesday to discuss cybersecurity for elections. DHS Secretary Kirstjen Nielsen and former secretary Jeh Johnson both testified.
The committee asked the DHS to explain what it's doing to ensure that future elections are safe from cyberattacks. The agency said it had the necessary resources. Still, not all election officials were interested in what the DHS had to offer.
While the DHS provides voluntary cybersecurity reviews for all 50 states, only 19 have reached out, Nielsen said.
"It's very difficult if a state does not want to be identified, because it's a voluntary relationship," Nielsen said.
She warned that the 2018 midterm elections and future elections are "clearly potential targets for Russian hacking attempts," and the agency hopes more states will opt in.
US lawmakers have taken a closer look at election security since the DHS last September revealed that Russian hackers attempted to break into voting systems across 21 states during the 2016 presidential election. While they weren't able to alter any votes, the hackers breached at least one voter database in Illinois, accessing 90,000 voter registration records.
"Elections, at all levels, are central to our democracy, to our institutions and to our government's legitimacy. And I remain concerned that we are still not prepared," Sen. Mark Warner, a Democrat from Virginia and the committee's vice chairman, said in his opening statement.
The DHS said it has steadily improved its outreach over the last year, providing cybersecurity resources and training to local election officials in preparation for the 2018 midterms, but it's been a difficult process with so many states failing to take part.
Nielsen didn't name the states that chose not to accept the DHS' help. In response, Warner said citizens deserve to know.
"Even if you don't want to highlight this, someone needs to highlight those states or localities that choose not to participate," Warner said. "The public has a right to know if their state or their community is ignoring this problem."
Because elections are run by the states, security measures have varied across the nation. Johnson reached out to state election officials in August 2016, when he wanted to designate election systems as critical infrastructure. He didn't get a warm reception.
"The reaction I got was largely neutral to negative," he said.
Only 19 states have reached out for Risk and Vulnerability assessments, the agency's "most comprehensive assessment," a DHS official said. Another 32 states have requested "cyber hygiene scans," which are done remotely and aren't as robust.
The committee said the agency needs to be more helpful in its outreach. The DHS works with voting-machine vendors, shares classified information with election officials and provides cybersecurity check-ups. But it isn't fast enough, said Sen. Richard Burr, the North Carolina Republican who serves as the committee's chairman.
"There's a long wait time for DHS premier services," he said. "States are still not getting all the information they feel they need to secure their systems."
In some cases, states that did reach out to the DHS eventually stopped, which Nielsen said also caused problems.
"When they stop reporting, we're just not aware of the attacks," she said. "Not only can we not help them, but we can't help other victims that are likely to be victimized in the near future based on the same vulnerabilities."
The DHS is looking to grant security clearances for three election officials from each state, so they can warn all 150 officials about classified threats. It's been a slow process, with only 20 officials who have received the clearances so far.
Sen. Ron Wyden, a Democrat from Oregon, also called out the fact that 43 percent of American voters use voting machines with serious security flaws. Nielsen told the committee that no single federal agency has the authority to mandate basic cybersecurity of electronic voting machines.
Sen. Angus King, an independent from Maine, suggested to Nielsen that the DHS should create its own hacking team and target the states that haven't accepted the agency's help.
"Hack some of these states, and show them how vulnerable they are. I don't think they're going to believe it until you show them what people can do," he said. "This country has to wake up."
Updated at 2:29 p.m. PT: To include a statement from the DHS.
Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.
CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.